On 2024-05-20, Maxim Cournoyer wrote:
> vagrant@reproducible-builds.org writes:
>
>> From: Vagrant Cascadian
>>
>> * gnu/packages/compression.scm (xz-5.4): New variable.
>> --- >> gnu/packages/compression.scm | 15 +++++++++++++++ >> 1 file changed, 15 insertions(+) >> >> diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm >> index dd88fce9ca..d89d72c9b7 100644 >> --- a/gnu/packages/compression.scm >> +++ b/gnu/packages/compression.scm
>> @@ -573,6 +573,21 @@ (define-public xz >> (license (list license:gpl2+ license:lgpl2.1+)) ; bits of both >> (home-page "https://tukaani.org/xz/"))) >> >> +(define-public xz-5.4 >> + (package >> + (inherit xz) >> + (name "xz-5.4") >> + (version "5.4.5") >> + (source (origin >> + (method url-fetch) >> + (uri (list (string-append "http://tukaani.org/xz/xz-" version >> + ".tar.gz") >> + (string-append "http://multiprecision.org/guix/xz-" >> + version ".tar.gz"))) >> + (sha256 >> + (base32 >> + "1mmpwl4kg1vs6n653gkaldyn43dpbjh8gpk7sk0gps5f6jwr0p0k")))))) >> +
>
> Any reason not to use the latest, which is v5.6.1 (fetched from git, to
> avoid the xz backdoor issue)?

For one, 5.6.1 was also released by "Jia Tan" according to:

  https://tukaani.org/xz-backdoor/

To fix bugs in the backdoor partly introduced in 5.6.0... e.g. not to
remove the backdoor, but to make it a working backdoor.

In other words, DO NOT USE 5.6.1. :)

There are some concerns about questionable code by "Jia Tan" in earlier
versions too:

  https://bugs.debian.org/1068024

... although even the 5.4.x version I proposed was, admittedly, being a
bit lazy and just picking a version already present in core-updates as
the easiest path forward that was reasonably close to the version
present in Debian which diffoscope was tested against...

Reverting to 5.3.1 might be a more conservative approach, although I
have not tested it with diffoscope.

Or fixing diffoscope to work with the older xz version in master
(5.2.x?) that guix is already using, which, now that I have spelled out
all of the above, seems possibly a much better idea!

live well,
  vagrant
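
Review bot: In the `(source (origin ...))` of the new `xz-5.4`, both URIs are plain `http://` while the unchanged `home-page` line just above already uses `https://tukaani.org/xz/`; the `sha256` pins the tarball contents, but switching the first URI to `https://tukaani.org/xz/xz-` would keep the fetch consistent with the rest of the file and avoid a cleartext download. The definition also has no comment saying why a 5.4.x variant exists next to `xz`; since the choice of release is exactly what the thread is debating, a short comment above `(define-public xz-5.4` stating why 5.4.5 is pinned and what the base32 hash was checked against would help later reviewers. Lastly, `(name "xz-5.4")` puts the series into the package name even though `version` is already "5.4.5"; consider dropping the `name` field so it is inherited from `xz`.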